[tbb-dev] TBB forensic analysis

Mike Perry mikeperry at torproject.org
Fri Mar 27 22:03:49 UTC 2015


jack bloom:
> hi all,
> 
> I've read Runa's forensic analysis of the TBB
> (https://research.torproject.org/techreports/tbb-forensic-analysis-2013-06-28.pdf)
> and I'm currently redoing the analysis of the current TBB. I'm more or less
> following what Runa did (plus RAM dump/hibernation file), I was wondering if
> you have any suggestions, ideas or any other kind of input on the subject.  I
> asked on #tor and they suggested to say something here.

Refreshing this study will be very useful.

Three things come to mind immediately:

1. Please use Tor Browser 4.5a5, which should appear on the tor-qa list
(https://lists.torproject.org/pipermail/tor-qa/) in the next day or two,
and should be officially released on https://blog.torproject.org on
Tuesday/Wednesday. Tor Browser 4.5-stable should be out in mid-April.

2. With respect to new features in 4.5 that may change disk leaks: the
new .desktop launcher for Linux
(https://trac.torproject.org/projects/tor/ticket/13375), the optional
Windows shortcuts
(https://trac.torproject.org/projects/tor/ticket/14688), and the Windows
authenticode signatures
(https://trac.torproject.org/projects/tor/ticket/3861) all may change
disk records kept by the OS.

Since Runa did that report, we've also updated to a newer version of
Firefox, which should have fixed several leaks in their Private Browsing
Mode (which we use as a basis to prevent disk records of browsing
activity). We've also added an updater, added Pluggable Transport
support, removed Vidalia, and completely reorganized the bundles. Both
Windows and Mac bundles were also changed to use NSIS and DMG packaging
respectively, instead of zip files. There were quite a few more changes,
as well.

3. You may want to have a look over
https://trac.torproject.org/projects/tor/query?keywords=~tbb-disk-leak&status=!closed.
Those are the disk leaks we know about, and some of them might actually
no longer apply. Information about leaks that no longer happen will be
especially useful to help us triage that list and focus on what still
happens. Any new issues you find should also be tagged with the
tbb-disk-leak keyword. The most serious issues are ones that cause
information about websites that have been visited to be leaked to disk.


-- 
Mike Perry